A Chinese ad firm is using malware to get more clicks

Advertising agencies go to great lengths to spread their clients’ messages. Now, researchers have uncovered a new approach: malware.

This month, cybersecurity company Check Point reports that a Chinese group called Yingmob has distributed mobile device malware on a massive scale, apparently alongside a legitimate advertising analytics business.

Listed as based in Beijing's Chaoyang District, Yingmob, a subsidiary of MIG Unmobi Technology Inc., markets itself like any other advertising firm. Its professional-looking website claims its easy-to-deploy ads support text, pictures, and video, and don't affect the user experience. It offers pop-up, sidebar, and in-app adverts. But Check Point's report claims that part of the company—the “Development Team for Overseas Platform,” which employs a staff of 25 people—is responsible for malware it has dubbed “HummingBad.”

This malware allows the injection of adverts into victims' devices. Whenever someone clicks on one of these adverts, Yingmob gets paid, just like a typical advertising campaign. The first infection method Check Point came across was a “drive-by-download,” whereby Yingmob’s malware targets a victim when they visit a malicious website, then proceeds to download malicious apps onto their device. In its analysis, Check Point writes that nearly 10 million people are using malicious Android apps made by Yingmob.

Using its privileged access to infected devices, the company also installs apps on behalf of others, raking in more revenue. In all, the researchers estimate that Yingmob is making $300,000 a month from its campaign.

According to Check Point’s estimates, which are based on an analysis of the HummingBad code and Yingmob's account on a tracking and analytics service, the company's Android apps display more than 20 million advertisements and get 2.5 million clicks per day. Meanwhile, the HummingBad malware installs more than 50,000 fraudulent apps in the same timeframe. Check Point adds that the majority of HummingBad's victims are in China and India, though there are hundreds of thousands of infections in Turkey, the US, Mexico, and Russia too.

But this report just looks at the Android side—Yingmob has also been linked to malware on iOS. In October 2015, researchers from Palo Alto Networks identified “YiSpecter,” a piece of iOS malware that primarily targeted users in China and Taiwan, and which had already been in the wild for at least 10 months. The main link between these two pieces of malware is that they share the same command and control server addresses—the servers that hackers use to communicate with their infected devices. This suggests that Yingmob is behind both.

Internet records show the same email address used to register Yingmob.com is behind a slew of other domains, such as one for an apparent mobile advertising platform called 1Mob; another site selling analytics services; and a third for “mobile marketing services,” which promises “ultra-high returns.” Although Yingmob publicly lists itself as being based in Beijing, Check Point writes that the malware division is located in Chongqing. Neither Yingmob nor the registrant behind the other connected sites responded to a request for comment.